2 require_once 'tests/utils/FakeConfigManager.php';
4 // Initialize reference data _before_ PHPUnit starts a session
5 require_once 'tests/utils/ReferenceSessionIdHashes.php';
6 ReferenceSessionIdHashes
::genAllHashes();
8 use PHPUnit\Framework\TestCase
;
9 use Shaarli\Security\SessionManager
;
12 * Test coverage for SessionManager
14 class SessionManagerTest
extends TestCase
16 /** @var array Session ID hashes */
17 protected static $sidHashes = null;
19 /** @var \FakeConfigManager ConfigManager substitute for testing */
20 protected $conf = null;
22 /** @var array $_SESSION array for testing */
23 protected $session = [];
25 /** @var SessionManager Server-side session management abstraction */
26 protected $sessionManager = null;
29 * Assign reference data
31 public static function setUpBeforeClass()
33 self
::$sidHashes = ReferenceSessionIdHashes
::getHashes();
37 * Initialize or reset test resources
39 public function setUp()
41 $this->conf
= new FakeConfigManager([
42 'credentials.login' => 'johndoe',
43 'credentials.salt' => 'salt',
44 'security.session_protection_disabled' => false,
47 $this->sessionManager
= new SessionManager($this->session
, $this->conf
);
51 * Generate a session token
53 public function testGenerateToken()
55 $token = $this->sessionManager
->generateToken();
57 $this->assertEquals(1, $this->session
['tokens'][$token]);
58 $this->assertEquals(40, strlen($token));
62 * Check a session token
64 public function testCheckToken()
66 $token = '4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b';
72 $sessionManager = new SessionManager($session, $this->conf
);
74 // check and destroy the token
75 $this->assertTrue($sessionManager->checkToken($token));
76 $this->assertFalse(isset($session['tokens'][$token]));
78 // ensure the token has been destroyed
79 $this->assertFalse($sessionManager->checkToken($token));
83 * Generate and check a session token
85 public function testGenerateAndCheckToken()
87 $token = $this->sessionManager
->generateToken();
89 // ensure a token has been generated
90 $this->assertEquals(1, $this->session
['tokens'][$token]);
91 $this->assertEquals(40, strlen($token));
93 // check and destroy the token
94 $this->assertTrue($this->sessionManager
->checkToken($token));
95 $this->assertFalse(isset($this->session
['tokens'][$token]));
97 // ensure the token has been destroyed
98 $this->assertFalse($this->sessionManager
->checkToken($token));
102 * Check an invalid session token
104 public function testCheckInvalidToken()
106 $this->assertFalse($this->sessionManager
->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
110 * Test SessionManager::checkId with a valid ID - TEST ALL THE HASHES!
112 * This tests extensively covers all hash algorithms / bit representations
114 public function testIsAnyHashSessionIdValid()
116 foreach (self
::$sidHashes as $algo => $bpcs) {
117 foreach ($bpcs as $bpc => $hash) {
118 $this->assertTrue(SessionManager
::checkId($hash));
124 * Test checkId with a valid ID - SHA-1 hashes
126 public function testIsSha1SessionIdValid()
128 $this->assertTrue(SessionManager
::checkId(sha1('shaarli')));
132 * Test checkId with a valid ID - SHA-256 hashes
134 public function testIsSha256SessionIdValid()
136 $this->assertTrue(SessionManager
::checkId(hash('sha256', 'shaarli')));
140 * Test checkId with a valid ID - SHA-512 hashes
142 public function testIsSha512SessionIdValid()
144 $this->assertTrue(SessionManager
::checkId(hash('sha512', 'shaarli')));
148 * Test checkId with invalid IDs.
150 public function testIsSessionIdInvalid()
152 $this->assertFalse(SessionManager
::checkId(''));
153 $this->assertFalse(SessionManager
::checkId([]));
155 SessionManager
::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
160 * Store login information after a successful login
162 public function testStoreLoginInfo()
164 $this->sessionManager
->storeLoginInfo('ip_id');
166 $this->assertGreaterThan(time(), $this->session
['expires_on']);
167 $this->assertEquals('ip_id', $this->session
['ip']);
168 $this->assertEquals('johndoe', $this->session
['username']);
172 * Extend a server-side session by SessionManager::$SHORT_TIMEOUT
174 public function testExtendSession()
176 $this->sessionManager
->extendSession();
178 $this->assertGreaterThan(time(), $this->session
['expires_on']);
179 $this->assertLessThanOrEqual(
180 time() + SessionManager
::$SHORT_TIMEOUT,
181 $this->session
['expires_on']
186 * Extend a server-side session by SessionManager::$LONG_TIMEOUT
188 public function testExtendSessionStaySignedIn()
190 $this->sessionManager
->setStaySignedIn(true);
191 $this->sessionManager
->extendSession();
193 $this->assertGreaterThan(time(), $this->session
['expires_on']);
194 $this->assertGreaterThan(
195 time() + SessionManager
::$LONG_TIMEOUT - 10,
196 $this->session
['expires_on']
198 $this->assertLessThanOrEqual(
199 time() + SessionManager
::$LONG_TIMEOUT,
200 $this->session
['expires_on']
205 * Unset session variables after logging out
207 public function testLogout()
211 'expires_on' => time() +
1000,
212 'username' => 'johndoe',
213 'visibility' => 'public',
214 'untaggedonly' => false,
216 $this->sessionManager
->logout();
218 $this->assertFalse(isset($this->session
['ip']));
219 $this->assertFalse(isset($this->session
['expires_on']));
220 $this->assertFalse(isset($this->session
['username']));
221 $this->assertFalse(isset($this->session
['visibility']));
222 $this->assertFalse(isset($this->session
['untaggedonly']));
226 * The session is active and expiration time has been reached
228 public function testHasExpiredTimeElapsed()
230 $this->session
['expires_on'] = time() - 10;
232 $this->assertTrue($this->sessionManager
->hasSessionExpired());
236 * The session is active and expiration time has not been reached
238 public function testHasNotExpired()
240 $this->session
['expires_on'] = time() +
1000;
242 $this->assertFalse($this->sessionManager
->hasSessionExpired());
246 * Session hijacking protection is disabled, we assume the IP has not changed
248 public function testHasClientIpChangedNoSessionProtection()
250 $this->conf
->set('security.session_protection_disabled', true);
252 $this->assertFalse($this->sessionManager
->hasClientIpChanged(''));
256 * The client IP identifier has not changed
258 public function testHasClientIpChangedNope()
260 $this->session
['ip'] = 'ip_id';
261 $this->assertFalse($this->sessionManager
->hasClientIpChanged('ip_id'));
265 * The client IP identifier has changed
267 public function testHasClientIpChanged()
269 $this->session
['ip'] = 'ip_id_one';
270 $this->assertTrue($this->sessionManager
->hasClientIpChanged('ip_id_two'));